FCC to Rescind Mandatory ISP Network Security Rule, Favors Voluntary Pledges

The Federal Communications Commission (FCC) is poised to vote in November on a controversial proposal to repeal a vital ruling that requires telecommunications providers to secure their networks. This significant policy shift comes at the explicit request of major lobby groups representing Internet service providers (ISPs).

FCC Chairman Brendan Carr has stated that the original ruling, adopted in January 2025 under previous leadership, “exceeded the agency’s authority and did not present an effective or agile response to the relevant cybersecurity threats.” Carr indicated the November 20 vote follows “extensive FCC engagement with carriers” who have reportedly taken “substantial steps… to strengthen their cybersecurity defenses.”

Biden-Era Ruling Sparked by Cyber Threats

The January 2025 declaratory ruling by the Biden-era FCC was a direct response to escalating cyberattacks, notably China’s “Salt Typhoon” campaign. This sophisticated infiltration targeted major telecom providers, including giants like Verizon and AT&T. The ruling asserted that the 1994 Communications Assistance for Law Enforcement Act (CALEA), a foundational law, “affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications.”

At the time, the FCC clarified that CALEA’s Section 105 obligations extended beyond just the equipment used, encompassing “how they manage their networks.” This included ensuring security against untrusted equipment suppliers who might “illegally activate interceptions or other forms of surveillance within the carrier’s switching premises without its knowledge.”

ISPs Successfully Lobby for Reversal

The original declaratory ruling also laid the groundwork for a Notice of Proposed Rulemaking, which would have introduced stricter, specific rules for network security. Chairman Carr, then a commissioner, had voted against this decision.

Although no specific rules had been adopted at the time, the January order emphasized that the ruling had immediate force. It stated that even without further regulations, carriers would struggle to meet their CALEA obligations without adopting “basic cybersecurity practices.” Examples cited included:

  • Implementing role-based access controls
  • Changing default passwords
  • Requiring minimum password strength
  • Adopting multifactor authentication
  • Patching known vulnerabilities

A failure to employ such best practices, the FCC warned, would appear to fall short of statutory requirements.

However, cable, fiber, and mobile operators strongly opposed the ruling. In February, a petition to reverse it was filed by powerful telecom lobby groups: CTIA-The Wireless Association, NCTA-The Internet & Television Association, and USTelecom-The Broadband Association. They argued that CALEA’s scope was limited to facilitating “lawful intercepts from law enforcement” and that the FCC lacked authority to set “technical standards under Section 105.”

FCC Shifts to “Voluntary Commitments”

A draft of the order set for November’s vote indicates the FCC will “rescind the declaratory ruling as unlawful and unnecessary, finding that the commission’s interpretation of CALEA was legally erroneous and ineffective at promoting cybersecurity.” It will also withdraw the Notice of Proposed Rulemaking, opting instead for “a targeted approach to promoting effective cybersecurity productions rather than a one-size-fits-all approach of a single rulemaking.”

The FCC leadership now expresses confidence in voluntary commitments from carriers. The draft order highlights agreements from providers to implement “additional cybersecurity controls,” including:

  • Accelerated patching of outdated or vulnerable equipment
  • Updating and reviewing access controls
  • Disabling unnecessary outbound connections
  • Improving threat-hunting efforts

Providers have also committed to increased cybersecurity information sharing with both the federal government and within the sector, marking a significant change from practices in January.

The current FCC argues that the previous leadership’s interpretation of CALEA was “unlawful.” They contend that a statute designed to ensure lawful wiretaps within a specific network portion was erroneously expanded to mandate “specific network management practices in every portion of their network.” CALEA, they underscore, requires carriers to ensure interceptions within their switching premises are activated only by court order and with carrier intervention.

Former Chair Defended “Common Sense” Security

Prior to the shift in FCC majority, then-Chairwoman Jessica Rosenworcel staunchly defended the declaratory ruling as “common sense.” She argued that the plain text of CALEA supported an affirmative duty for carriers to prevent unauthorized interception, emphasizing that carriers “shall ensure” only lawful interceptions occur.

Rosenworcel highlighted the necessity of modernizing rules in light of attacks like Salt Typhoon, which “breached nine domestic telecommunications and Internet service providers.” These attacks exploited “old equipment, facilities that had not been updated, and network components that lacked basic cybersecurity protocols.”

Under Chairman Carr, the FCC plans to address security through a more “collaborative” strategy, focusing on “federal-private partnerships that protect and secure communications networks and more targeted, legally sound rulemaking and enforcement.” This represents a significant pivot from the regulatory mandates previously championed to bolster the nation’s digital defenses.
